Is private medical information really safe at Planned Parenthood?

In part two of our series on medical information safety at abortion facilities, Live Action News looks into reported data breaches of protected health information at the nation’s largest abortion provider, Planned Parenthood, which receives half a billion dollars in taxpayer funds annually.


As documented in our last report, Planned Parenthood in Iowa exposed over 2500 patients when they carelessly left records behind after moving out of their Dubuque facility. In an online admission, Planned Parenthood warned their patients of “a potential breach of patients’ personal health information” in which records were “accessed by unauthorized parties.” Only weeks ago, spokeswoman Rachel Lopez admitted that hard copies of patient information were inadvertently left at the building, including “patients’ full name, date of birth, mailing address, insurance information, social security number, medical record number, diagnosis, treatment, and lab results.” The documents were found by the building’s new owner on May 6, but according to media reports, Planned Parenthood patients were not told about the privacy breach until July 1st.

If this were an isolated incident, perhaps it could be overlooked, but other privacy breach incidents at Planned Parenthood tell us that there is a problem.

Earlier this year, Planned Parenthood of Greater Washington and North Idaho notified patients about a data security “error” whereby e-mails were “inadvertently sent to the wrong addresses.”

In an online post, Planned Parenthood referred to it as an “isolated occurrence”:

On June 28, 2016, some emails notifying individuals of an online portal were inadvertently sent to the wrong addresses. This caused individuals to receive another person’s email, which included the intended recipient’s first and last name. There was no other personal or health information in the email, and the recipient would not have been able to use the information to access the portal under another person’s name. Upon discovery on June 28, we took action to assess the situation and shut down the portal. We immediately determined it was an isolated occurrence, and it was resolved promptly. We have no evidence that any of the information involved in this incident has been misused in any way.


But there can only be so many “isolated occurrences” before they aren’t so isolated.

A 2015 inspection at Planned Parenthood of South Atlantic conducted by the South Carolina Bureau of Health Facilities Licensing noted that “documentation of training in confidentiality of patient information and records, and protecting patient rights was not in the record or otherwise available for review for Staff C.”

The State of California’s public website on information about health care providers who fail to protect patients’ privacy lists two Planned Parenthood facilities among the offenders. One was Planned Parenthood of The North Valley in Chico, California, where a patient reported that following her visit she received two text messages from an anonymous number, reading, “Damn, you have an STD WOW.” The second message read, “LOL I know everyone. Nasty. My friend works at Planned Parenthood. I’m telling everyone.” It was discovered that a staffer had looked at the patient’s information because she was dating the patient’s ex-boyfriend and had concerns about an STD. According to a state report, the staff member was terminated from Planned Parenthood Shasta Pacific.

Managers at Planned Parenthood Napa Center were notified about a breach of confidentiality by Planned Parenthood’s receptionist, who admitted to state officials that she had looked at the private records because she was curious. She claimed she never told anyone what she had seen in the chart and had only seen the test result. However, the patient said that the staffer gave her a shocked look when she arrived, and later, one of the patient’s friends asked her if she was pregnant after finding out from a relative of the staffer. The employee who committed the breach was terminated — also from Planned Parenthood Shasta Pacific.

A Morristown, New Jersey, resident posed a question online about suing Planned Parenthood for an alleged privacy breach she experienced, writing:

I go to Planned Parenthood, a place where all your business is SUPPOSED to be confidential, but the other day I was aware that a worker there told a family member of mine about my privacy. Can I sue?

Patients who feel their privacy has been compromised or violated by Planned Parenthood can file a complaint with the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Under the Freedom of Information Act, ProPublica (a Pulitzer Prize-winning investigative newsroom) requested documents on closed HIPAA complaints. Thanks to their research, Live Action News obtained records of additional privacy breaches at Planned Parenthood, which reveal that little is done to protect patients following a complaint:

1. In 2011, OCR received a complaint alleging that a worker at Planned Parenthood in New York “impermissibly disclosed” the complainant’s health information to her sister’s friend. OCR’s regional manager, Linda C. Colon, decided to “resolve the matter informally” and sent Planned Parenthood material explaining the Privacy Rule provisions relating to disclosures to family and friends.

2. In 2012, a complainant informed the governing body that she had received a call from Planned Parenthood of Northeast Ohio asking her to contact them regarding recent test results. During the call, it was determined that she was not the correct patient. Despite this fact, Planned Parenthood proceeded to send her a letter containing another person’s protected health information. Celeste H. Davis, who reviewed the complaint on behalf of the OCR, decided to “resolve the matter informally” by sending Planned Parenthood a checklist of reminders on how to “safely use the mail or fax machines when sending [protected health information].”

3. In 2013, OCR was notified that Planned Parenthood of Delaware violated the Federal Standards for Privacy of Individually Identifiable Health Information. The complainant alleged that Planned Parenthood had no curtains or separations between treatment areas, permitting patients to hear other patients’ protected health information. This case was also resolved “informally” by Barbara J. Holland, who sent Planned Parenthood the “Privacy Rule provisions related to Incidental Uses and Disclosures Reasonable Safeguards and the Minimum Necessary Requirement.”


4. That same year, Melody Meanor, the former Health Center Manager of Family Planning at Planned Parenthood of Delaware in Wilmington, went public to expose the center’s privacy policies. The transcript of her video statement reads in part:

One area I attempted to correct was inadequate protection of patient confidentiality and privacy. At the beginning of my employment, I struggled to correct negative patient care violations that involved HIPAA violations. Untrained health center assistants simply did not understand the importance of protecting patient privacy. My attempts to train and discipline health center assistants were significantly undermined… The Medical Director, Dr. Carole Meyers should have put a stop to these sorts of behaviors. However, at the same time as she was serving as the Medical Director of Planned Parenthood of Delaware, Dr. Meyers was simultaneously employed by the Planned Parenthood Federation of America as an auditor inspecting other Planned Parenthood affiliates.

5. Another complaint was filed in 2013, this time against a Planned Parenthood in Chicago, Illinois. This complainant alleged that a Planned Parenthood employee impermissibly disclosed her private health information to a third party on Facebook. According to the complaint, on September 25, 2013, the Planned Parenthood staffer left a comment about a “procedure” the complainant had there, under the public posts on the Facebook page. Celeste Davis, regional manager for OCR, again decided to resolve the matter “informally” by sending Planned Parenthood material explaining the Privacy Rules.

6. A complaint received by OCR in 2014 alleged that a Trexlertown, Pennsylvania, Planned Parenthood violated the Federal Standards for Privacy of Individually Identifiable Health Information after sending a bill for a patient to the wrong person. After receiving the complaint, regional manager Barbara J. Holland (again) decided to resolve the incident “informally” through the provision of technical assistance to Planned Parenthood.

7. A 2014 complaint filed with the Texas Medical Board by former Planned Parenthood director, Abby Johnson, alleges that a Planned Parenthood in Texas e-mailed their abortionist the ultrasound information of their patients — but not in encrypted form:

This ultrasound would be emailed to Dr. [Paul] Fine’s mobile phone. Dr. Fine would email back from his phone that the patient was “okay” for a medication abortion. I am not aware that these emails containing protected health information were sent in encrypted form. Dr. Fine likely violated state and federal patient privacy laws by this practice (Texas Medical Records Privacy Act, Chapter 181, Health and Safety Code and HIPAA).

8. TAB, a records management company working with the Planned Parenthood Federation of America for over a decade, identified what they called “some serious problems” with the records of Planned Parenthood of Illinois, which oversees 17 branch locations. In TAB’s document, they suggested that Planned Parenthood records were getting lost in the mail:

Planned Parenthood of Illinois was dealing with some serious problems—whenever they needed access to files stored offsite, retrieval was becoming increasingly costly and time consuming. When staff requested a record, they would have to wait for days to receive the file and often it would get lost in the mail. This not only compromised their ability to provide service to their clients, but it also opened them up to legal and compliance risks. The healthcare provider was also facing difficulty when it came to destroying records. Planned Parenthood needed a better way to manage its retention schedules and control the growth of its offsite records collections. After careful consideration, the Illinois chapter partnered with TAB in order to develop a more effective approach to record keeping.

But those records were seen by others not employed at Planned Parenthood:

Pre-authorized Planned Parenthood staff would be able to make a retrieval request either by phone or email and one of TAB’s consultants would find the document, scan the record and check it for quality control purposes. The file would then be named using existing meta data from Planned Parenthood’s functional classification system and sent to the requestor through a secure FTP site. Finally, the original patient file would be returned to the correct box.

TAB assisted Planned Parenthood in creating a “HIPAA-compliant FTP site” after walking the head of Planned Parenthood’s IT department through the process on the phone. In the end, 3000 boxes of medical records from Planned Parenthood’s off-site location in Chicago were shipped to TAB’s HIPAA-compliant facility in Mayville, Wisconsin.

THOUSANDS OF PLANNED PARENTHOOD PATIENTS AFFECTED:

A search for “Planned Parenthood” on the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal, which lists breaches of unsecured protected health information affecting 500 or more patients that were reported to the Secretary of HHS, returned three Planned Parenthood locations whose breaches affected a combined 18,206 patients:


An “improper disposal” breach submitted in February of 2015 shows that 5000 patients at Planned Parenthood Southwest Ohio were affected. Details in a downloadable PDF obtained by Live Action News state that:

On October 1, 2014, the Covered Entity (CE) mistakenly disposed of binders containing protected health information (PHI). The CE’s archived prescription dispensing logs and waived lab test logs were left in an unlocked closet after business hours and a custodian mistakenly put them in a trash dumpster. The following morning, the dumpster was emptied by the trash collector who took it to be buried with other garbage at a landfill that same day. The PHI involved in the incident included the names, dates of birth, lab results, and medications of approximately 5,000 individuals. After the CE filed the breach report, it determined that the incident was a nonreportable breach based on a four part breach assessment and a low probability that the PHI in the binders had been compromised.

The “unauthorized access/disclosure” breach at Planned Parenthood of the Heartland, mentioned previously in this post, affected 2506 of Planned Parenthood’s patients.

Another “unauthorized access/disclosure” breach reported in August of 2016 affected 10,700 Planned Parenthood of Greater Washington and North Idaho patients. No additional information is available yet on this incident.